reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/disable-ciphers-not-supported-by-OpenSSL-DES.patch b/poky/meta/recipes-connectivity/openssh/openssh/disable-ciphers-not-supported-by-OpenSSL-DES.patch
deleted file mode 100644
index 8a2d1a0..0000000
--- a/poky/meta/recipes-connectivity/openssh/openssh/disable-ciphers-not-supported-by-OpenSSL-DES.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 265eaab8b39d8d8721224a48eefed5bf1696d353 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Wed, 18 Apr 2018 21:58:32 +0800
-Subject: [PATCH] disable ciphers not supported by OpenSSL DES
-
-While compiling openssl with option `no-des', it caused the openssh
-build failure
-...
-cipher.c:85:41: error: 'EVP_des_ede3_cbc' undeclared here (not in a function);
-...
-
-OpenSSL configured that way defines OPENSSL_NO_DES to disable des
-
-Suggested by dtucker@
-
-Upstream-Status: Submitted [openssh-unix-dev@mindrot.org]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- cipher.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/cipher.c b/cipher.c
-index c3cd5dc..86558e1 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -82,7 +82,9 @@ struct sshcipher {
-
- static const struct sshcipher ciphers[] = {
- #ifdef WITH_OPENSSL
-+#ifndef OPENSSL_NO_DES
- { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-+#endif
- { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
- { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
- { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
---
-2.7.4
-
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/init b/poky/meta/recipes-connectivity/openssh/openssh/init
index 34ba0f8..8887e3a 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh/init
+++ b/poky/meta/recipes-connectivity/openssh/openssh/init
@@ -36,7 +36,7 @@
}
check_config() {
- /usr/sbin/sshd -t $SSHD_OPTS || exit 1
+ /usr/sbin/sshd $SSHD_OPTS -t || exit 1
}
export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
@@ -48,19 +48,19 @@
@LIBEXECDIR@/sshd_check_keys
check_privsep_dir
start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
- echo "done."
+ echo "done."
;;
stop)
- echo -n "Stopping OpenBSD Secure Shell server: sshd"
+ echo -n "Stopping OpenBSD Secure Shell server: sshd"
start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd
- echo "."
+ echo "."
;;
reload|force-reload)
check_for_no_start
@LIBEXECDIR@/sshd_check_keys
check_config
- echo -n "Reloading OpenBSD Secure Shell server's configuration"
+ echo -n "Reloading OpenBSD Secure Shell server's configuration"
start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
echo "."
;;
@@ -68,7 +68,7 @@
restart)
@LIBEXECDIR@/sshd_check_keys
check_config
- echo -n "Restarting OpenBSD Secure Shell server: sshd"
+ echo -n "Restarting OpenBSD Secure Shell server: sshd"
start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
check_for_no_start
check_privsep_dir
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/ssh_config b/poky/meta/recipes-connectivity/openssh/openssh/ssh_config
index 9e91915..e0d0238 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/poky/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
+# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
@@ -31,14 +31,14 @@
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
-# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
+# IdentityFile ~/.ssh/id_ecdsa
+# IdentityFile ~/.ssh/id_ed25519
# Port 22
-# Protocol 2,1
-# Cipher 3des
-# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
-# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# Protocol 2
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 5463b1a..1931dc7 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/poky/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -56,35 +56,23 @@
esac
done
-# parse location of keys
-HOST_KEY_RSA=$(grep ^HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$(grep HostKey "${sshd_config}" | grep _rsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_RSA}" ] && HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
-HOST_KEY_DSA=$(grep ^HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$(grep HostKey "${sshd_config}" | grep _dsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_DSA}" ] && HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
-HOST_KEY_ECDSA=$(grep ^HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$(grep HostKey "${sshd_config}" | grep _ecdsa_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ECDSA}" ] && HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
-HOST_KEY_ED25519=$(grep ^HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$(grep HostKey "${sshd_config}" | grep _ed25519_ | tail -1 | awk ' { print $2 } ')
-[ -z "${HOST_KEY_ED25519}" ] && HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key
+HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
-# create keys if necessary
-if [ ! -f $HOST_KEY_RSA ]; then
- echo " generating ssh RSA key..."
- generate_key $HOST_KEY_RSA rsa
-fi
-if [ ! -f $HOST_KEY_ECDSA ]; then
- echo " generating ssh ECDSA key..."
- generate_key $HOST_KEY_ECDSA ecdsa
-fi
-if [ ! -f $HOST_KEY_DSA ]; then
- echo " generating ssh DSA key..."
- generate_key $HOST_KEY_DSA dsa
-fi
-if [ ! -f $HOST_KEY_ED25519 ]; then
- echo " generating ssh ED25519 key..."
- generate_key $HOST_KEY_ED25519 ed25519
-fi
-
+for key in ${HOST_KEYS} ; do
+ [ -f $key ] && continue
+ case $key in
+ *_rsa_key)
+ echo " generating ssh RSA host key..."
+ generate_key $key rsa
+ ;;
+ *_ecdsa_key)
+ echo " generating ssh ECDSA host key..."
+ generate_key $key ecdsa
+ ;;
+ *_ed25519_key)
+ echo " generating ssh ED25519 host key..."
+ generate_key $key ed25519
+ ;;
+ esac
+done
diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshd_config b/poky/meta/recipes-connectivity/openssh/openssh/sshd_config
index 31fe5d9..15f061b 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/poky/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -7,7 +7,7 @@
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options change a
+# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
@@ -15,43 +15,30 @@
#ListenAddress 0.0.0.0
#ListenAddress ::
-# The default requires explicit activation of protocol 1
-Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
# Ciphers and keying
#RekeyLimit default none
# Logging
-# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin yes
+#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
@@ -59,11 +46,9 @@
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
@@ -72,7 +57,8 @@
#PasswordAuthentication yes
#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
@@ -111,7 +97,7 @@
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
-#UseDNS yes
+#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
diff --git a/poky/meta/recipes-connectivity/openssh/openssh_7.6p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
similarity index 89%
rename from poky/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
rename to poky/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
index e11e8d7..f54dfb5 100644
--- a/poky/meta/recipes-connectivity/openssh/openssh_7.6p1.bb
+++ b/poky/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
@@ -8,11 +8,10 @@
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
-# openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
-DEPENDS = "zlib openssl10"
+DEPENDS = "zlib openssl"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
+SRC_URI = "git://github.com/openssh/openssh-portable;branch=master \
file://sshd_config \
file://ssh_config \
file://init \
@@ -25,13 +24,13 @@
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
- file://disable-ciphers-not-supported-by-OpenSSL-DES.patch \
"
PAM_SRC_URI = "file://sshd"
-SRC_URI[md5sum] = "06a88699018e5fef13d4655abfed1f63"
-SRC_URI[sha256sum] = "a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723"
+SRCREV = "cce8cbe0ed7d1ba3a575310e0b63c193326ae616"
+
+S = "${WORKDIR}/git"
inherit useradd update-rc.d update-alternatives systemd
@@ -46,18 +45,15 @@
inherit autotools-brokensep ptest
-# LFS support:
-CFLAGS += "-D__FILE_OFFSET_BITS=64"
-
EXTRA_AUTORECONF += "--exclude=aclocal"
# login path is hardcoded in sshd
EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
--without-zlib-version-check \
- --with-privsep-path=/var/run/sshd \
+ --with-privsep-path=${localstatedir}/run/sshd \
--sysconfdir=${sysconfdir}/ssh \
- --with-xauth=/usr/bin/xauth \
+ --with-xauth=${bindir}/xauth \
--disable-strip \
"
@@ -84,7 +80,8 @@
do_compile_ptest() {
# skip regress/unittests/ binaries: this will silently skip
# unittests in run-ptests which is good because they are so slow.
- oe_runmake regress/modpipe regress/setuid-allowed regress/netcat
+ oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \
+ regress/check-perm regress/mkdtemp
}
do_install_append () {
@@ -110,7 +107,6 @@
install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
- echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
@@ -157,7 +153,6 @@
RCONFLICTS_${PN} = "dropbear"
RCONFLICTS_${PN}-sshd = "dropbear"
-RCONFLICTS_${PN}-keygen = "ssh-keygen"
CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
@@ -165,3 +160,5 @@
ALTERNATIVE_PRIORITY = "90"
ALTERNATIVE_${PN}-scp = "scp"
ALTERNATIVE_${PN}-ssh = "ssh"
+
+BBCLASSEXTEND += "nativesdk"